I'm trying to implement a Single Sign On (SSO) for a web application. Maybe you can help me find a proper solution, give me a direction or tell me, that solutions already exist.

The scenario: A GeoExt (ExtJS for geodata/map based apps) webapp (JavaScript only) has a login form to let the user authenticate himself. The authentication is not implemented yet, so i'm flexible with respect to that.

After authenticating to the main webapp the user indirectly accesses multiple 3rd-party services like WebServices, GeoServer WFS, Google Maps, etc. These services might require additional authentication like credentials or keys. We are (so far) not talking about additional login screens, just some kind of "machine to machine"-authentication.

The main problem: I'm unable to modify the 3rd party services (e.g. Google) to add a SSO mechanism.

I'd like to have a solution that allows the user to log in once to have access to all the services required. My first idea was a repository that stores all the required credentials or keys. The user logs in and can retrieve all required information to acces sthe other services. Does anybody know of existing implementations, papers, maybe implementations of such services?

Other requirements: The communication between the JS application and the repository must be secure. The credentials must be stored in a secure manner. But the JS app must be able to use them to access the services (no chance to store a decryption key in a JS-app securely, eh? *g).